Promoting good management of risk and uncertaintyMaking risk management / internal control happen

by Matthew Leitch; first appeared on www.irmi.com in July 2006

Identifies ways that risk managers and internal control managers can create willingness to implement risk control improvements.

Describes the main mechanism by which change actually takes place in most cases where there is no legal or regulatory imperative.

Explains how to use the RUMA survey tool to identify people likely to be supportive of risk control initiatives, and do some useful risk education at the same time.

In previous articles for IRMI I have explained how people tend to behave in ways that suppress or just ignore risk and uncertainty, and that tackling this is a key task for risk and internal control managers. (For example, in “Embedding risk management: easier, better, faster”.)

How should the risk/control manager proceed, when outnumbered thousands to one by other employees and without line authority with which to insist that things get done right?

Getting new procedures, policies, and tools implemented without direct authority is the main problem for such managers.

In this article I will describe approaches to this problem, including a new intelligence gathering survey tool that can help. I will also explain the results of some online research carried out earlier this year that sheds light on the possible results of using the tool.

The main ways that change is usually achieved

Risk/control managers generally persuade others to do things by the following means:

Borrowed authority: This is when some senior figure or group makes statements about the importance of risk management/control, or authorises a project, or holds meetings the manager can attend and report to. These give the manager an opportunity to show connection to a source of power.

Power from regulations: Very often the power comes from outside the organisation in the form of imposed regulations – Sarbanes Oxley, Turnbull, Basle II, and so on.

Riding other initiatives: In this approach the manager takes advantage of the impetus behind some other initiative and just ensures that his/her ideas are picked up in the other, perhaps better supported, initiative.

Using personal charm: Despite the emphasis on regulations and senior support the day to day influence of risk/control managers still rests largely on their personal charm and helpfulness.

Results tend to be patchy. Even with scary regulations approaching, continuous senior support, and great personal charm there will still be detractors, resistance, complaints, delays, people who do not do what they should do or even promised to do, and outright enemies who dig in, hold out, and wait for an opportunity to kick back.

A strategy based on how things often work

But there is a happy side. Along with the detractors there are usually people who are interested, keen to be involved, and eager to try new things. These people sometimes, but not always, have more to gain from the idea than others, as well as more relevant knowledge.

Their involvement is tremendously valuable to the risk/control manager because these enthusiasts will put up with the rough edges of new procedures and tools. They will have suggestions for improvement and a high chance of getting good results. Beneficial changes with these people are more likely to stick.

It usually makes sense to search for such people, deliberately, and work with them first. Experience with these early adopters is a good opportunity to refine the process or tool, and get some results with it that will build the case for wider adoption.

Having achieved some success with the first group, move on to the next most willing group, and so on. Eventually the only people left will be the die hards, left in a minority, with little to complain about, and facing ample evidence of effectiveness and benefits.

Even the longevity of the approach and the growing body of documentation and software, lends credibility to it.

Of course, if the process or tool is not effective and doesn’t improve enough from the early trials, then drop it if possible. It may also be that complete roll out is not necessary and that at some point the roll out should stop, so that it only includes the people for whom it is beneficial.

How to find friends

Starting with “friends” of a project, process, or tool is common sense. How do you find them? Some obvious ways are:

By trial and error: Try to promote a risk/control programme and some people will speak in favour and some against. Those who speak can be classified.

Guessing from roles: Roles tend to suggest the interests of the people who occupy them. The head of internal audit is likely to be more interested than the head of marketing, for example.

Guessing from experiences: Recent experiences tend to affect what people are interested in. If a line manager has just been badly burned by a project where risk was mismanaged he/she is likely to be more interested in related things.

Following up contacts: Friendly people will often suggest the names of others who are likely to be friendly towards an idea.

Another method is to gain this information as a side benefit of an online survey to understand how risk and uncertainty are currently managed in the organisation.

The RUMA survey tool

Early in 2006 I developed the first version of a suitable survey – the only one of its kind, as far as I know. It is called the Risk and Uncertainty Management Assessment (RUMA) survey tool.

The first version described four scenarios that typify situations managers often face that involve risk and uncertainty. In these situations there are pressures to ignore the uncertainty, which is what makes reactions to the scenarios so informative.

The respondent is presented with five actions that could be taken in each scenario (not necessarily mutually exclusive) and asked to rate every action on a scale from “Great” to “Awful”. (This survey style is much more informative, per scenario, than multiple choice.)

The survey tool also asks for a certainty rating for every action rating. From this it is possible to see where people are confident of their answers, and where they struggle to decide.

Results from research

In early April 2006 the first version of the RUMA survey was used in an online survey with 90 volunteer respondents. The response to calls for respondents was more than twice that for any previous survey I have promoted in the same way, so it seems many people quite liked tackling the scenarios.

The results provide a fascinating insight into how people view these situations and the risk of inappropriate behaviour.

Overall, the collective wisdom of respondents was impressive. In almost every case the most favoured actions are also the open, honest, rational, objective ones where uncertainty is dealt with instead of suppressed.

However, individual responses were less consistently laudable. Most people favoured several actions that were less than ideal, usually giving positive ratings to actions with hidden dangers.

Some people seemed, overall, considerably more inclined to suppress or ignore risk than others. The survey responses were highly revealing.

There were also a few actions that people on the whole favoured but that have hidden dangers.

In one scenario the respondent was asked to imagine being a senior government official in charge of a major building project, with builders, surveyors, and architects involved. Everything is going well and to schedule on the project but a row has broken out between a company contracted to pre-fabricate a complex glass roof section and the other parties. The glass company say the design won’t work. The architects disagree and everyone is blaming someone else. The question is, do you tell your boss about this problem and, if so, how?

The most strongly supported action was to give your boss a full briefing covering all major areas of risk and uncertainty on the project, including the roof worry. However, the next most supported approach, and one approved of by most people, was to find a solution to the problem first, and only then tell the boss. Quite probably you too think this sounds a sensible approach, but read on.

The real life case on which this scenario was loosely based, the Holyrood building project in Scotland, led to a public enquiry to discover why the project had gone 1,000% over budget. Among many other failings it was found that as the architect submitted a series of designs that were more costly than the budget the officials involved had decided they could not share this cost risk with ministers without having a solution first. However, they never found a solution and so did not share the risk upwards.

Does finding a solution first still seem so attractive?

Full details are given in “Individual differences in risk and uncertainty management” here.

Uses of RUMA

The main use of RUMA is to understand the overall culture of risk and uncertainty management in an organisation. However, as a side benefit it should be possible to identify people, and groups of people, whose preferences indicate they would be friendly towards risk/control initiatives, and others who perhaps should be involved later on if at all.

Summary

Getting good things to happen without line authority is the key challenge for risk/control managers. One tactic that can be very useful is to try out new ideas with people in the organization who are in favour and enthusiastic about them, and then roll on from there, either stopping when people stop getting benefit, or rolling on until even the staunchest opposition is included.
The RUMA survey tool is just one way to find the friends needed, and also provides a detailed and fascinating picture of thinking about risk and uncertain in common management situations.

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more